-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 26 July 2001.

2a) [ ] This action is FINAL. 2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-96 is/are pending in the application.

4a) Of the above claim(s) ____ is/are withdrawn from consideration.

5) [ ] Claim(s) ____ is/are allowed.

6) [X] Claim(s) 1-96 is/are rejected.

7) [X] Claim(s) 5-14, 21-30, 37-46, 53-62, 68-78 and 85-94 is/are objected to.

8) [ ] Claim(s) ____ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 30 October 2001 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [ ] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. ____.

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 

2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948) Paper No(s)/Mail Date.

3) [X] Information Disclosure Statement(s) (PTO-1449 or PTO/SB/08) Paper No(s)/Mail Date 7/30/2002.

5) [ ] Notice of Informal Patent Application (PTO-152)

6) [ ] Other:

This action is in response to the communication filed on 07/26/2001.

DETAILED ACTION 

1. Claims 1-96 have been examined.

Title 

2. The title of the invention is acceptable. 

Priority 

3. No claim for priority has been made for this application. 

4. The effective filing date for the subject matter defined in the pending claims in this 
application is 07/26/2001. 

Information Disclosure Statement 

5. The information disclosure statement (IDS) submitted on 7/30/2002 is in compliance 
with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information 
disclosure statement. 

Drawings 

6. The drawings filed on 10/30/2001 are acceptable for examination proceedings. 

Claim Objections 

7. Claims 5-14, 21-30, 37-46, 53-62, 68-78, and 85-94 are objected to for failing to comply
with proper numbering.

8. The applicant is reminded that a series of singular dependent claims is permissible in 
which a dependent claim refers to a preceding claim which, in turn, refers to another preceding 
claim. 

A claim which depends from a dependent claim should not be separated by any claim
which does not also depend from said dependent claim. It should be kept in mind that a 
dependent claim may refer to any preceding independent claim. In general, applicant's sequence 
will not be changed. See MPEP § 608.01(n). 

Claim Rejections - 35 USC §102 

9. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign 
country or in public use or on sale in this country, more than one year prior to the date of 
application for patent in the United States, 

10. Claims 1-3, 5, 17-19, 21, 33-35, 37, 49-51, 53, 65-67, 69, 81-83, and 85 are rejected
under 35 U.S.C. 102(b) as being anticipated by Cozza (US Patent Number 5,649,095).

11. Regarding claims 1, 33, and 65, Cozza disclosed a system, method, and computer 
program product (See Cozza Claims and Col. 1 Lines 26-33) comprising a computer program 
operable to control a computer to detect a known computer program within a packed computer 
file, said packed computer file being unpacked upon execution, said computer program 
comprising (See Cozza Abstract and Col. 3 Paragraph 6): resource data reading logic operable to
read resource data within said packed computer file (See Cozza Col. 6 Lines 21-23 and 29-34), 
said resource data specifying program resource items used by said known computer program 
(See Cozza Col. 2 Paragraph 7) and being readable by a computer operating system without 
dependence upon which unpacking algorithm is used by said packed computer file (See Cozza 
Col. 6 Paragraphs 2-3 wherein the compressed file is not decompressed in order to read the 
resource forks information); and resource data comparing logic operable to compare said
resource data with characteristics of resource data of said known computer program (See Cozza 
Col. 7 Lines 35-39 and Col. 1 Lines 58-65) to detect a match with said known computer program 
indicative of said packed computer file containing said known computer program (See Cozza 
Col. 7 Lines 35-39 and Col. 1 Lines 58-65). 

12. Regarding claims 2, 34, and 66, Cozza disclosed that said known computer program is 
one of: a Trojan computer program; and a worm computer program (See Col. 1 Lines 22-32 and 
Col. 7 Lines 35-39). 

13. Regarding claims 3, 35, and 67, Cozza disclosed that said resource data comparing logic 
is operable to compare said resource data with characteristics of a plurality of known computer 
programs to detect if said packed computer program contains one of said plurality of known 
computer programs (See Cozza Col. 7 Lines 35-40). 

14. Regarding claims 5, 37, and 69, Cozza disclosed that said program resource items used 
by said known computer program include one or more of: icon data; string data; dialog data; 
bitmap data; menu data; and language data (See Cozza Col. 2 Paragraph 7). 

15. Claims 17, 49, and 81 are rejected for the same reasons as claims 1, 33, and 65, and 
further because it was inherent that the characteristic data was generated in order for the data to 
have been compared (See Cozza Col. 1 Lines 58-65). 

16. Claims 18-19, 21, 50-51, 53, 82-83, and 85 are rejected for the same reasons as claims 2-3
and 5, and further because it was inherent that the characteristic data was generated in order
for the data to have been compared (See Cozza Col. 1 Lines 58-65). 

Claim Rejections - 35 USC §103

17. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject 
matter sought to be patented and the prior art are such that the subject matter as a whole 
would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived 
by the manner in which the invention was made. 

18. Claims 4, 9-11, 13-14, 20, 25-27, 29-30, 36, 41-43, 45-46, 52, 57-59, 61-62, 68, 73-75, 
77-78, 84, 89-91, and 93-94 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Cozza as applied to claims 1, 17, 33, 49, 65, and 81 above respectively, and further in view of
Hypponen et al. (US Patent Number 6,577,920) hereinafter referred to as Hypponen. 

19. Regarding claims 4, 20, 36, 52, 68, and 84, Cozza disclosed comparing the resource data 
with resource data of a known program (See Col. 1 Lines 58-65, Col. 6 Paragraph 3 and Col. 7 
Lines 35-40), but Cozza failed to specifically disclose using program fingerprint data for the 
comparison. 

Hypponen teaches a method of virus scanning in which signatures (fingerprint) of a file 
are created and compared to signatures of known infected files in order to detect viruses (See 
Hypponen Col. 3 Lines 14-25). 

It would have been obvious to the ordinary person skilled in the art at the time of 
invention to employ the teachings of Hypponen in the virus scanning of Cozza by creating a 
signature of the resources of the compressed file and comparing it to previous signatures. This 
would have been obvious because the ordinary person skilled in the art would have been
motivated to scan the files as quickly as possible, without compromising security. 

20. Regarding claims 9, 25, 41, 57, 73, and 89, the combination of Cozza and Hypponen 
disclosed the fingerprint data including a checksum (See Hypponen Col. 4 Lines 55-59) value 
calculated in dependence upon one or more of: a number of program resource items specified 
beneath each node within hierarchically arranged resource data; string names associated with 
program resource items within said resource data; and sizes of program resource items within 
said resource data (See Cozza Col. 5 Lines 1-9 wherein it would have been inherent that the size, 
or amount of data, the string names in the data, and the number of the resource items in that data 
would have affected the calculation of the checksum).

21. Regarding claims 14, 30, 46, 62, 78, and 94, Cozza and Hypponen disclosed the 
checksum being SHA, which shifts after each operation (See Hypponen Col. 4 Lines 56-59). 

22. Regarding claims 10, 26, 42, 58, 74, and 90, the combination of Cozza and Hypponen 
disclosed the signature including multiple resource items (See Cozza Col. 1 Lines 63-65 and Col. 
2 Paragraph 7). 

23. Regarding claims 11, 27, 43, 59, 75 and 91, the combination of Cozza and Hypponen
disclosed that said fingerprint data includes a location within said resource data of an entry 
specifying a program resource item having a largest size (See Cozza Col. 6 Lines 29-45). 

24. Regarding claims 13, 29, 45, 61, 77, and 93, the combination of Cozza and Hypponen
disclosed that said fingerprint data includes a flag indicating which data is included within said 
fingerprint data (See Cozza Col. 5 Paragraph 3). 

25. Claims 12, 28, 44, 60, 76, and 92 are rejected under 35 U.S.C. 103(a) as being
unpatentable over the combination of Cozza and Hypponen as applied to claims 4, 20, 36, 52, 68, 
and 84 above respectively, and further in view of Hodges et al. (US Patent Number 6,269,456) 
hereinafter referred to as Hodges. 

The combination of Cozza and Hypponen disclosed creating fingerprint data for detecting 
viruses (See rejection of claim 4 above), but failed to disclose providing a time of compilation in 
the fingerprint data. 

Hodges teaches that in a virus protection system, virus signature files can be 
automatically updated with new signatures when necessary, if a latest revision time is provided 
with the files (See Hodges Col. 2 Paragraph 6 and Col. 4 Paragraph 6). 

It would have been obvious to the ordinary person skilled in the art at the time of 
invention to employ the teachings of Hodges in the virus scanning system of Cozza and 
Hypponen by providing a time of revision with each signature. This would have been obvious 
because the ordinary person skilled in the art would have been motivated to ensure that the 
system was protected against the most recently discovered viruses. 

26. Claims 6-8, 15-16, 22-24, 31-32, 38-40, 47-48, 54-56, 63-64, 70-72, 79-80, 86-88, and 
95-96 are rejected under 35 U.S.C. 103(a) as being unpatentable over Cozza as applied to claims 
1, 17, 33, 49, 65, and 81 above, and further in view of Pietrek ("Peering Inside the PE: A Tour of
the Win32 Portable Executable").

Regarding claims 16, 32, 48, 64, 80, and 96, Cozza disclosed detecting a known 
computer program in a compressed computer file, the file including resource data (See rejection 
of claim 1 above), but failed to specifically name the Win32 PE file as one of these files. 

Pietrek teaches that a Win32 PE file is an executable file which contains un-initialized
code and resources, which when executed the code is initialized using the resources (See Pietrek 
Page 21 PE File Base Relocations). 

It would have been obvious to the ordinary person skilled in the art at the time of 
invention to employ the teachings of Pietrek in the virus detector of Cozza by allowing the 
scanning of Win32 PE files and their resources. This would have been obvious because the 
ordinary person skilled in the art would have been motivated to provide protection against Win32 
PE files containing viruses. 

Regarding claims 6-8, 22-24, 38-40, 54-56, 70-72, and 86-88, the combination of Cozza 
and Pietrek disclosed specifying a storage location for each resource item as an offset, and the 
size of each resource (See Pietrek Page 20 Table 13 Offsets and Page 21 Fig. 14 DWORD 
OffsetToData). 

Regarding claims 15, 31, 47, 63, 79, and 95, Cozza and Pietrek disclosed decompressing 
the computer program upon execution (See Pietrek Page 21 PE File Base Relocations). 

Conclusion 

27. Claims 1-96 have been rejected. 

28. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

a. Arnold et al. (US Patent Number 5,440,723) disclosed a method for creating virus 
signatures and using the signatures to detect viruses. 

b. Cozza (US Patent Number 5,473,769) disclosed a method for scanning for viruses
involving scanning the resource fork of a file. 

c. Beetz (GB 2365158) disclosed a method for detecting viruses contained in a
compressed executable.

29. Please direct all inquiries concerning this communication to Matthew Henning whose 
telephone number is (571) 272-3790. The examiner can normally be reached Monday-Friday 
from 9am to 4pm, EST. 

If attempts to reach examiner by telephone are unsuccessful, the examiner's acting 
supervisor, Ayaz Sheikh, can be reached at (571) 272-3795. The fax phone number for this 
group is (703) 305-3718. 

Any inquiry of general nature or relating to the status of this application or proceeding 
should be directed to the Group receptionist whose telephone number is (703) 305-3900. 




Matthew Henning 
Assistant Examiner 
Art Unit 2131 
12/8/2004 




